Geoff Caplan wrote:
> I'm new to Postgres and trying to get up to speed on the security
> issues. There seems to be remarkably little Postgres specific stuff
> on preventing SQL injection attacks.
If you use prepared statements (the details of which vary by programming
language), you should be quite safe.
> Most of the online literature is on MS SQL Server. There, the
> consensus seems to be that the range of potential attacks is so wide
> that attempting to spot attack signatures in posted data is a doomed
> enterprise, and that the safest general approach for any dynamically
> built query is to execute it as a stored procedure.
That won't necessarily help you on PostgreSQL, because in stored
procedures you can paste together queries from user-provided strings.
--
Peter Eisentraut
http://developer.postgresql.org/~petere/